Beyond the Checkbox: Building a Culture of Security and Compliance

The best security tools can’t protect a business if its people aren’t properly engaged. In this edition of Secure with Sagacent, I want to tackle the intersection of human behavior and cybersecurity compliance: a challenge costing businesses millions in preventable breaches. It’s a real bugbear of mine. Companies invest thousands in cutting-edge security systems but still fall short of compliance because they overlook the key factor: human behavior.

So what can we do about it, and how can we promote a culture of compliance?

Here’s your quick-read brief:

  • Technical solutions alone won’t shield your business
  • Building a security culture matters more than adding more tools
  • Prevention costs less than recovery
  • Your people are your strongest defense or your biggest vulnerability

When Systems and People Collide

If there’s one incident from 2024 that lays bare the true cost of overlooking the human factor, it was the CrowdStrike-Microsoft fiasco. A single coding error brought global systems to a standstill, revealing how even tech giants with robust compliance systems can stumble when human factors come into play.

This wasn’t just a technical glitch. It highlighted gaps in code review processes, update deployment procedures, and compliance protocols that existed despite extensive security measures.

So what can we learn from the CrowdStrike incident? Their systems were top-notch, but a human oversight in code review led to a cascade of failures. This wasn’t about lacking technical controls. It was about the gap between having security measures and ensuring people follow them consistently.

The reality is that 95%* of cybersecurity issues have some human element, and 68%* of breaches in 2024 were traced back to human factors. Add to this the fact that nearly half* of all data breaches involve insider threats, either accidentally or intentionally, and the writing’s on the wall: we need to think differently about IT security.

Cutting-edge tech solutions are a vital security component, but they can’t come at the expense of building a culture of compliance among our teams.

Building a Compliance-First Culture

Culture change starts at the top, but not with directives alone. Too often, I hear business leaders say “Make us compliant” without understanding what that really means. True compliance isn’t about installing new security software; it’s about leadership rolling up their sleeves and getting involved.

Successful compliance needs leaders who understand the journey. They join security training sessions, ask questions, and recognize that meaningful change takes time because it involves shifting how people work, creating new procedures, and changing mindsets… not merely implementing new tech.

Look at your current practices. Are your teams rushing through security training just to tick boxes? Do you understand what your IT team needs to achieve compliance? Consider this: 31%* of cloud data breaches stem from simple configuration mistakes – not from malicious acts, but from gaps in training and understanding at all levels.

A Compliance-First Action Plan

Turning awareness into action requires clear, practical steps. Here’s my recommended action plan for change you can follow and even start today:

1. Foster Clear Communication Procedures

Make policies straightforward and accessible. Drop the technical jargon and focus on clear guidance. Share real examples of security wins and lessons learned, keeping sensitive details private while making the message loud and clear.

2. Reward Good Practices

Create recognition programs for the teams maintaining strong compliance records. This isn’t about creating competition (well, maybe there is a case for carefully promoting a competitive spirit in some situations). But more importantly, it’s about building a culture where security awareness becomes second nature.

3. Build Smart Frameworks

Develop decision-making tools that guide your team toward secure choices. When security becomes part of your team’s daily workflow, compliance will follow. Focus on creating clear procedures for common security scenarios your staff can readily understand and carry out.

4. Consider How and Why Your Team Uses Tech

Technology should support your team, not replace their judgment. Focus on tools that make compliance easier, not more complicated. 84%* of IT leaders identify human error as the leading cause of major breaches. Even with the best security tech out there, remember that it must enable and empower your team, not replace or remove them from your security processes.

These steps lay the foundation, but the real change happens in how your team interacts with security measures day to day.

Systems People Work With, Not Around

49%* of human error breaches happen from something as simple as sending sensitive information to the wrong recipient. While businesses rush to implement more technical controls, they miss the simpler solution: helping their people work smarter through procedural and decision-making clarity.

Take email security for instance. Many businesses implement elaborate email security policies: multiple layers of encryption, complex approval workflows, detailed email classification systems, etc. These measures have their place, but they also risk pushing your team into workarounds to cope with high workloads (e.g. using personal email accounts).

Instead, focus on simpler, more effective measures. Configure your email system to hold sensitive outbound emails in a queue for 60 seconds before sending, giving users the chance to catch and recall errors (messages sent to the wrong recipient, for example). Why not set up automated warnings when emails contain sensitive keywords or are addressed to external domains? These practical changes make it easier for your team to work securely while preventing common mistakes that lead to data breaches.
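To make the two controls above concrete, here is an added illustration (not code from the original post, and not Sagacent’s product) of the decision a mail gateway’s pre-send hook could make: flag recipients outside the organisation, flag sensitive keywords in the subject and body, and put only the sensitive messages into the 60-second hold queue. The internal domain `example.com`, the keyword list, the sample message and the policy that only keyword-matched mail is held are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organisation's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}

# Assumption: keywords that mark a message as sensitive (constructed list;
# a real deployment would tune this against its own false-positive rate).
SENSITIVE_KEYWORDS = ("confidential", "ssn", "social security", "payroll", "password")

# Hold window from the article: sensitive outbound mail waits 60 seconds before release.
HOLD_SECONDS = 60


@dataclass
class OutboundDecision:
    external_recipients: list = field(default_factory=list)
    matched_keywords: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    hold_seconds: int = 0  # 0 means "send immediately"


def _domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower()


def is_internal(address: str) -> bool:
    """Internal if the domain is one of ours or a subdomain of one (assumed policy)."""
    domain = _domain_of(address)
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def find_sensitive_keywords(text: str) -> list:
    """Whole-word, case-insensitive scan so 'ssn' does not fire inside other words."""
    found = []
    for kw in SENSITIVE_KEYWORDS:
        if re.search(r"(?<!\w)" + re.escape(kw) + r"(?!\w)", text, re.IGNORECASE):
            found.append(kw)
    return found


def _plain_text(msg) -> str:
    """Concatenate every text/plain part, decoding transfer encoding and charset."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def check_outbound(raw_message: str) -> OutboundDecision:
    """Decide warnings and hold time for one outbound RFC 822 message."""
    msg = message_from_string(raw_message)
    decision = OutboundDecision()

    # Every recipient from To/Cc/Bcc, with display names stripped.
    header_values = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    recipients = [addr for _, addr in getaddresses(header_values) if addr]
    decision.external_recipients = [r for r in recipients if not is_internal(r)]

    text = msg.get("Subject", "") + "\n" + _plain_text(msg)
    decision.matched_keywords = find_sensitive_keywords(text)

    # Warn on either condition, as the article suggests.
    if decision.external_recipients:
        decision.warnings.append("External recipient(s): " + ", ".join(decision.external_recipients))
    if decision.matched_keywords:
        decision.warnings.append("Sensitive content: " + ", ".join(decision.matched_keywords))

    # Hold only sensitive mail; non-sensitive mail leaves immediately with its warnings shown.
    if decision.matched_keywords:
        decision.hold_seconds = HOLD_SECONDS
    return decision


# Constructed sample message: one internal, one subdomain-internal and one external recipient.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: Bob <bob@example.com>, carol@partner-example.org
Cc: dave@mail.example.com
Subject: Q3 payroll summary
Content-Type: text/plain; charset="utf-8"

Hi all, attached is the CONFIDENTIAL payroll summary for review.
"""

if __name__ == "__main__":
    result = check_outbound(SAMPLE_MESSAGE)
    for line in result.warnings:
        print("WARNING:", line)
    print("hold for", result.hold_seconds, "seconds")
```

The sample message is both external and sensitive, so it draws two warnings and a 60-second hold; a plain internal lunch invitation draws neither. The value of a control like this is measurable: counting how often users recall a held message tells you whether the 60-second window is actually catching wrong-recipient errors, which is the kind of evidence a compliance culture should run on.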

The companies leading in security today aren’t the ones with the most sophisticated systems or the costliest tech. They’re the ones whose people understand, value, and actively participate in security practices. Let’s make your company one of them.

Get Help To Build a Culture of Security and Compliance

Do you want to discuss how to build a stronger compliance culture in your organization? Let’s talk about practical steps that work for your specific situation. Contact Sagacent Technologies to chat about your business’s IT security posture.

Cybersecurity Glossary:

  • Compliance Protocols: Established rules and procedures ensuring a business meets regulatory and security requirements.
  • Insider Threats: Security risks that come from within an organization, including intentional and accidental employee actions.
  • Configuration Mistakes: Errors in setting up software or systems that can create security vulnerabilities.
  • Security Culture: The shared beliefs, practices, and behaviors within an organization that contribute to information security.
  • Human Factors: The ways people interact with systems and processes that can affect security outcomes.

Extra reading, statistics cited in the text: